password guessing all 5 min
  •  
dahuafschmied

Messages: 36
Karma: 5
Hi,

I have detected a case where a "hacker" can guess passwords without being detected.
Kerio KB: protecting-users-against-password-guessing-attacks-1439
This protection does not help.

In my case an IP address tries to guess the passwords of my users.
One try every 4-5 minutes for some days.

Is there anything I can do against such attacks?

[24/Feb/2015 19:39:14] Failed SMTP login from 62.141.44.18 with SASL method LOGIN.
SMTP: User student<_at_>domain.tld doesn't exist. Attempt from IP address 62.141.44.18.
Failed SMTP login from 62.141.44.18 with SASL method LOGIN.
[24/Feb/2015 19:48:09] SMTP: User student<_at_>domain.tld doesn't exist. Attempt from IP address 62.141.44.18.
  •  
ksnyder (KERIO)

Messages: 557
Karma: 36
The sure way to do it would be to block the IP address (62.141.44.18) at your Firewall (is it the same IP address all the time?).

Another thing to try (no guarantee) is to add the offending IP address to a "Suspected Hackers" IP Address Group within Kerio Connect, then use a Custom Blacklist (http://kb.kerio.com/1172) to block your newly created "Suspected Hackers" IP Address Group. The reason I say "no guarantee" is that this feature appears to be designed to stop incoming messages from reaching user mailboxes when the sender IP address is a match. I'm not 100% sure if this would stop any authentication attempt from matching IP addresses or not, but it might be worth a try.

Ken Snyder
Director, Sales Engineering | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
dahuafschmied

Messages: 36
Karma: 5
Thank you.

I blocked the IP at my firewall.
The spam blacklist is not stopping login attempts. I tried this already.

I would search for an automated solution, for example a configurable login retry count and time before blocking.
  •  
ksnyder (KERIO)

Messages: 557
Karma: 36
Excellent - thanks for confirming that the blacklist didn't stop the login attempts. Helpful to have this confirmed in the thread.

I like your suggestion and would encourage you to add it via the User Voice process (Admin --> Dashboard --> Suggest Idea).

Ken Snyder
Director, Sales Engineering | Kerio
  •  
vomsupport

Messages: 125
Karma: 2
Set up fail2ban to scan the maillogs and block password guesses

http://aplawrence.com/Kerio/fail2ban.html
  •  
Grabsteinschubser

Messages: 64
Karma: 4
I think this is a bit more comprehensive how-to: https://www.grabsteinschubser.de/2015/01/30/kerio-connect-und-fail2ban/

It's in German. I put some example filters there and describe how to unblock accidentally blocked IP addresses. Maybe it's useful :)
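
Added example, not part of the thread and not code from Kerio or the linked how-tos: a small detector over the two log messages quoted in the first post, showing why one guess every 4-5 minutes slips under a short counting window and is caught by a long one. The thresholds, sample IP addresses and the `sample_log` data are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two failure messages quoted in the thread's log excerpt.
# An attempt against an unknown user may log both lines and then counts twice.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"(?:Failed SMTP login from (?P<ip1>[0-9.]+) with SASL method \w+\.|"
    r"SMTP: User \S+ doesn't exist\. Attempt from IP address (?P<ip2>[0-9.]+)\.)$"
)

def parse(line):
    """Return (timestamp, ip) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    return ts, m.group("ip1") or m.group("ip2")

def offenders(lines, max_failures, window):
    """IPs with more than max_failures failures inside any sliding window.

    Assumes each IP's lines arrive in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue              # not a failed-login line (or truncated)
        ts, ip = hit
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged

def sample_log():
    """Constructed log: one guess every 4.5 minutes for 6 hours, plus one stray failure."""
    start = datetime(2015, 2, 24, 12, 0, 0)
    lines = []
    for i in range(80):
        ts = (start + timedelta(seconds=270 * i)).strftime("%d/%b/%Y %H:%M:%S")
        lines.append(f"[{ts}] Failed SMTP login from 203.0.113.7 with SASL method LOGIN.")
    lines.append("[24/Feb/2015 12:01:00] SMTP: User bob@example.test doesn't exist. "
                 "Attempt from IP address 198.51.100.9.")
    return lines
```

In fail2ban terms, `window` plays the role of `findtime` and `max_failures` of `maxretry`; for this slow pattern the window has to span hours, not minutes.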